Google is scrapping Pwnium, its annual bug hunting event, and folding it into an existing year-round program in part to reduce security risks.
The company held Pwnium annually at CanSecWest, a security conference in Vancouver, to find security problems in its Chrome OS, Chrome browser and affiliated applications.
But Tim Willis of the Chrome Security Team wrote in a blog post that the annual event isn’t best for either researchers or the company.
“If a security researcher was to discover a Pwnium-quality bug chain today, it’s highly likely that they would wait until the contest to report it to get a cash reward,” Willis wrote. “This is a bad scenario for all parties. It’s bad for us because the bug doesn’t get fixed immediately and our users are left at risk.”
It also increased the chance that the same bug might be submitted by more than one researcher, he wrote. Researchers had to attend the conference as well.
Now, researchers who find bugs in Chrome products can submit them under the Chrome Reward Program, Willis wrote, which has been around since 2010.
Awards range from a minimum of US$500 up to $50,000, with an unlimited reward pool. But Willis cautioned that Google’s lawyers say the program is “experimental and discretionary” and could be canceled or modified.